AMENDMENT TO THE CLAIMS 

Please amend claim 1 , 23, and 30 to read as follows: 

1 . (Currently Amended) A method for implementing an intrusion 
detection system in a network, comprising: 

receiving a request from a central server at a software agent program 
installed on each of a plurality of remote computers to initiate intrusion detection 
services on a -each respective one of the plurality of remote computers, wherein the 
request is issued by the central server in response to a notification of a network 
intrusion; 

installing intrusion detection software on said remote computers via said 
software agent program; and 

executing said intrusion detection software on said remote computers via 
said software agent program. 

2. (Previously Presented) The method of claim 1 further comprising: 
receiving from the central server a request to terminate intrusion detection 

services at said software agent program. 

3. (Original) The method of claim 2 further comprising: 
monitoring for fulfillment of a stop condition. 

4. (Original) The method of claim 3 wherein said stop condition is 
based on network traffic conditions. 

5. (Previously Presented) The method of claim 3 wherein said stop 
condition is an expiration time. 

6. (Canceled) 
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7. (Previously Presented) The method of claim 1 further comprising 

the step of: 

selecting said remote computers from a plurality of eligible computers. 

8. (Original) The method of claim 7 wherein said selecting step is 
accomplished based on a network map. 

9. (Original) The method of claim 7 wherein said selecting step is 
accomplished based on a knowledge base. 

10. (Original) The method of claim 1 wherein said request is verified 
using a cryptographic authentication scheme. 

1 1 . (Original) The method of claim 1 wherein said request includes a 
stop condition indicating when to stop executing the intrusion detection software. 

12. (Previously Presented) The method of claim 1 1 wherein said stop 
condition is an expiration time. 

13. (Original) The method of claim 1 1 wherein said stop condition is 
based on network traffic conditions. 

14. (Original) The method of claim 7 wherein said request is verified 
using a cryptographic authentication scheme. 

15-22 (Canceled) 

23. (Currently Amended) A system for detecting intrusions in a 
computer network comprising: 

a plurality of computers executing software agents; 
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an intrusion detection server; and 

a database configured to store at least one rule defining at least one 
response to a network intrusion, wherein said intrusion detection server is configured to 
send a request to install and execute intrusion detection software to software agents at 
a -the plurality of the computers when intrusion detection services are needed based on 
the at least one rule stored in said database. 

24. (Original) The system of claim 23 wherein said intrusion detection 
server increases the number of said plurality of computers executing intrusion detection 
software when a network intrusion is detected. 

25. (Original) The system of claim 23 wherein said intrusion detection 
server changes the number of said plurality of computers executing intrusion detection 
software when the level of network traffic changes. 

26. (Original) The system of claim 23 wherein said intrusion detection 
server changes the number of said plurality of computers executing intrusion detection 
software depending on the time of day. 

27. (Original) The system of claim 23 wherein said database contains 
information about the plurality of computers. 

28. (Original) The system of claim 27 wherein said information 
includes a map of said computer network. 

29. (Original) The system of claim 23 wherein said database contains 
a knowledge base. 

30. (Currently Amended) An article of manufacture comprising a 
computer-readable medium having stored thereon instructions adapted to be executed 
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by a processor, the instructions wliicli, wlien executed, define a series of steps to be 

used to perform network intrusion detection, said steps comprising: 

receiving notification of a network intrusion at a central server : 
transmitting an intrusion detection software installation request from the 

central server to a plurality of remote computers in response to the notification; and 
installing intrusion detection software on a-the plurality of remote 

computers via a software agent program in response to the request. 

31. (Canceled) 

32. (Previously Presented) The article of manufacture of claim 30, 
further comprising the step of selecting said remote computers from a plurality of eligible 
computers. 

33. (Original) The article of manufacture of claim 32 wherein said 
selecting step is accomplished based on a network map. 

34. (Original) The article of manufacture of claim 32 wherein said 
selecting step is accomplished based on a knowledge base. 

35. (Original) The article of manufacture of claim 30 wherein said 
request is verified using a cryptographic authentication scheme. 

36. (Original) The article of manufacture of claim 30 wherein said 
request includes a stop condition indicating when to stop executing the intrusion 
detection software. 

37. (Original) The article of manufacture of claim 36 wherein said stop 
condition is an expiration time. 
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38. (Original) The article of manufacture of claim 36 wherein said stop 
condition is based on network traffic conditions. 

39. (Previously Presented) The method of claim 1 , wherein intrusion 
detection services are initiated at a plurality of remote computers selected based on a 
number of intrusion detection platforms that are currently active. 

40. (Previously Presented) The method of claim 1 , wherein intrusion 
detection services are initiated at a plurality of remote computers selected based on 
predetermined numbers of maximum and minimum limits on a number of intrusion 
detection platforms. 

41 . (Previously Presented) The method of claim 1 1 , wherein the stop 
condition applies to all eligible computers. 

42. (Previously Presented) The method of claim 2, further comprising 
monitoring for fulfillment of a stop condition at each of the plurality of remote computers 
executing intrusion detection software. 

43. (Previously Presented) The method of claim 42, wherein the stop 
condition for each of the plurality of computers is based on a time during which each of 
the plurality of computers has been executing instruction detection software. 



